Tuesday, March 2, 2010

JavaScript injection is a technique that allows you to alter the content of the current web page without actually leaving it. It is extremely useful when you want to change the contents that are sent to the server through forms.

Basics of JS Injection:

JS injection means inserting or executing a script. You can execute a script from the URL bar of the web page you want to alter. To execute JS code, you must first clear the URL bar (note: don't press Enter yet) so that it contains nothing, no http:// or anything else.

JavaScript can be executed from the URL bar using the javascript: protocol.

Try the following code in the URL bar of the web page to display your message:

javascript:alert("Hello World!");

If you saw a pop-up window saying Hello World, congratulations: you have successfully done a JS injection test.

Cookie Editing:

This time we will try to penetrate one level deeper and modify server state.

One of the mechanisms used to represent server state is cookies. The server identifies client state and authorization using cookies. Therefore, it is worth learning cookie alteration using the JS injection technique.

To check the cookies set by the web site, use the following script in the URL bar:

javascript:alert(document.cookie);

The above script shows you the cookies set by the web site. To modify any key=value pair, use the following syntax:

javascript:void(document.cookie="Key=Value");

The above command either alters an existing Key=Value pair or adds a new one if it doesn't exist. The void() operator is used so that the browser discards the value of the assignment instead of displaying it as a new page.

For example, suppose the server set Authorization=no in the cookie and you want to modify this key=value pair. Then you can use the script given below:

javascript:void(document.cookie="Authorization=yes");

It is also useful to append alert(document.cookie); at the end of the same line to see what effect your alteration had.

Form Modifications:

One way to edit the values a form sends from the client to the web server is to save the web page to a local disk, modify its form field values to whatever you want, and then submit the form to the server.

For example:

The following HTML snippet shows a hidden field that is submitted when the form's submit button is clicked. Suppose we want to change the email address to which the submitted data is sent (here, the webmaster's).

<form action="/missions/basic/process.php" method="post">
  <input type="hidden" name="to" value="webmaster@mywebsite.com" />
  <input type="submit" value="Click to Submit" />
</form>

First, we need to save this web page to a local disk, and then modify it as shown below.

However, sometimes the website checks whether you actually submitted the form from the website itself. To get around this, we can edit the form in place using JavaScript injection.

Every form on a given web page (unless named otherwise) is stored in the forms[x] array, where x is the index of the form, counting from top to bottom over all the forms on the page. Note that the index starts at 0, so the first form on the page is forms[0], the second is forms[1], and so on.

Let's consider our previous form example:

<form action="/missions/basic/process.php" method="post">
  <input type="hidden" name="to" value="webmaster@mywebsite.com" />
  <input type="submit" value="Click to Submit" />
</form>

Note: Since this is the first form on the page, it is forms[0].

To check the value using JS, use the following command:

javascript:alert(document.forms[0].to.value);

In this case, it pops up an alert that says "webmaster@mywebsite.com".

Here's how to inject your own email address into it, using the same technique as in the cookie editing section:

javascript:void(document.forms[0].to.value="altered@emailaddress.com");

The above script changes the email address to altered@emailaddress.com. You can use the alert() JavaScript function to check your work.
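The hidden "to" field in this form is data the client fully controls, whether it is edited on a saved copy, through document.forms, or with any other tool, and a check on where the request came from (the Referer header is also client-supplied) does not change that. The Node.js handler below is an added example, not code from the original post or from the site it describes: it parses the posted form body and resolves the recipient against a server-side allowlist, so an edited hidden field is both harmless and detectable. The RECIPIENTS table, the recipient keys and the sample bodies are constructed for the example.

```javascript
// Server-side allowlist of places a contact form may deliver to. The hidden
// field is treated as a lookup key, never as the address itself.
const RECIPIENTS = {                        // constructed example mapping
  webmaster: 'webmaster@mywebsite.com',
  support: 'support@mywebsite.com',
};

// Parse an application/x-www-form-urlencoded body into a plain object
// (last value wins for repeated keys, which is enough for this form).
function parseFormBody(raw) {
  const out = {};
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Map whatever the client sent to an allowed address, or null if it is not
// one. A full address is still accepted if it is one of the allowed values,
// so the original form markup keeps working; anything else is rejected.
function resolveRecipient(requested) {
  if (Object.prototype.hasOwnProperty.call(RECIPIENTS, requested)) return RECIPIENTS[requested];
  if (Object.values(RECIPIENTS).includes(requested)) return requested;
  return null;
}

// Handler for POST /missions/basic/process.php (the action in the post's form).
// Returns what a real handler would log and act on rather than sending mail.
function processContactForm(rawBody) {
  const fields = parseFormBody(rawBody);
  const requested = fields.to ?? '';
  const to = resolveRecipient(requested);
  if (to === null) {
    // Detection point: a value outside the allowlist means the hidden field
    // was edited before submission. Log it; do not deliver anywhere.
    return { ok: false, to: null, tampered: true, requested };
  }
  return { ok: true, to, tampered: false, requested };
}

module.exports = { RECIPIENTS, parseFormBody, resolveRecipient, processContactForm };
```

With this in place the hardened form can carry value="webmaster" instead of the address, and the server, not the page, decides where the message goes.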

These are the most basic things you need to know about JS injection, and they are useful in many cases.